SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Girl Scouts of the USA Will Introduce 18 Cybersecurity Badges

(November 13, 2017)

The Girl Scouts of the USA (GSUSA) will introduce 18 new cybersecurity badges next year. GSUSA is partnering with Palo Alto Networks to develop the curriculum. The partnership was announced in June 2017.

[Editor Comments]

[Paller] Wonderful! 2018 may be a watershed year for young women in cyber. The Girl Scouts program will launch soon after the 2018 High School Girls CyberStart program (in February) sponsored by the governors of 9 states, along with top cybersecurity and other tech and financial companies who lead in bringing STEM opportunities to young women.

[Henry] This is outstanding. Getting young girls interested in cybersecurity, often before they've begun to search career choices, is an opportunity to bring more females into this field. The existing and ever-growing shortage of cybersecurity specialists necessitates exposure to all youngsters in order to identify those interested in pursuing this career option further.

[Pescatore] Great stuff. Chasing Cub Scout badges caused me to build a small crystal radio receiver, which got me into ham radio, which led to choosing Electrical Engineering in college and taking a job in security at NSA when I graduated!

US States Are Buying Cyber Insurance

(November 10, 2017)

The number of US states that have purchased cyber insurance has grown from 10 in 2015 to 19 in 2016, according to information gathered from state CIOs. The policies usually cover costs associated with investigations and data restoration, as well as customer notification, legal and public relations services, and credit monitoring.

[Editor Comments]

[Pescatore] I remain skeptical about the value of cyber insurance and the experience in Utah tends to reinforce my feeling. They are paying $230K/year for $10M coverage with a $1M deductible. They started paying this *after* experiencing a breach of 780,000 citizen records, which likely had a real cost in the range of $75M. Many policies have "existing condition" and other limiting clauses - if Utah had the insurance in place before the 2012 breach, the policy may not have paid off at all. But, even if it did, at most it would have resulted in saving $8.77M out of the $75M in cost. I'll bet that if they had spent $1.23 million in 2011 (the deductible and just one year's premium) they could have avoided the breach.

[Henry] I've worked with insurance companies over the past two years, and I've seen the market change substantially. The biggest impact has been the accumulation of better actuarial data, enabling insurers to better assess their risk, and make their products more affordable and better suited for their customers' needs. This is especially helpful in the case of small and medium businesses with limited budgets; cash-strapped states often fit into this category.

[Northcutt] Well researched article, worth a read. Take note of the differences between premiums and level of coverage. Also, make sure to read the 2016 SANS cyber insurance survey and this related new risk management paper:

Shadow Brokers

(November 9, 12, & 13, 2017)

Shadow Brokers began releasing batches of US intelligence cyberweapons more than a year ago, in August 2016. Former defense secretary and CIA director Leon Panetta has called the leaks "incredibly damaging." With morale at the agency reportedly plummeting, some NSA employees have left for the private sector. Not only has Shadow Brokers leaked stolen information, but it has also identified at least one former member of the NSA's elite Tailored Access Operations (TAO) hacker team.

[Editor Comments]

[Pescatore] The telling elements in this article: "We have had a train wreck coming," said Mike McConnell, the former N.S.A. director and national intelligence director. "We should have ratcheted up the defense parts significantly." Offense informs defense, yes. But putting intelligence agencies in charge of defense too often results in defense being pushed down the priority list.

Read more in:

NYT: Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core

Firefox 57 Will Have Better Sandboxing for Linux Users

(November 13, 2017)

Mozilla plans to release Firefox 57 on Tuesday, November 14. The newest version of the browser will include improved sandbox security for users running Firefox on Linux. Mozilla has already made improvements to the Firefox sandbox on Windows; the newest release will bring the Linux version on par with the Windows version.

AV Vulnerability Lets Attackers Restore Quarantined Files

(November 13, 2017)

A flaw that affects most major antivirus products can be exploited to place malicious files on systems running the vulnerable software by moving "a previously quarantined file to any arbitrary filesystem location." The exploit requires local administrative privileges. Several companies have already taken steps to fix the vulnerability.

[Editor Comments]

[Williams] The linked article is incorrect that the vulnerability requires local administrator permissions. It most definitely does not. The vulnerability abuses NTFS directory junctions. It would be relatively difficult to abuse in the wild, but doing so would result in full system compromise. This vulnerability highlights how obscure features like directory junctions can be abused by attackers. The problem is that most developers creating applications don't know about directory junctions and definitely don't have them as part of their threat model.

Read more in:

V3: Major anti-virus packages vulnerable to exploit that can 'spring' suspicious files from quarantine
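The restore-from-quarantine problem above comes down to writing a file back to a path whose directories may have been swapped for a junction since the file was quarantined. The following check is an added illustration written for this summary, not code from any of the affected products: it refuses a restore when any existing component of the destination is a reparse point (a symlink on POSIX, or any reparse point including NTFS junctions on Windows) or when the resolved destination leaves an allowed root. The directory layout in `demo()` is constructed, and a POSIX symlink stands in for the junction.

```python
import os
import stat
import tempfile

# Windows reparse-point attribute bit (covers junctions, symlinks, mount points).
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_reparse_point(path: str) -> bool:
    """True if path is a symlink, or on Windows any reparse point (e.g. a junction)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def restore_path_is_safe(original_path: str, allowed_root: str) -> bool:
    """Return True only if a quarantined file may be written back to original_path.
    Each existing component below allowed_root is lstat'ed so a directory replaced
    by a junction/symlink after quarantine is refused; the resolved destination
    must also still lie under allowed_root."""
    dest, root = os.path.abspath(original_path), os.path.abspath(allowed_root)
    try:
        rel = os.path.relpath(dest, root)
    except ValueError:          # different drive letter on Windows
        return False
    parts = rel.split(os.sep)
    if parts[0] in (os.curdir, os.pardir):
        return False            # destination is the root itself or escapes it
    cur = root
    for part in parts:
        cur = os.path.join(cur, part)
        if not os.path.lexists(cur):
            break               # remaining components do not exist yet
        if is_reparse_point(cur):
            return False        # a component has been redirected elsewhere
    real_root = os.path.realpath(root)
    return os.path.commonpath([os.path.realpath(dest), real_root]) == real_root


def demo() -> dict:
    """Constructed layout: a normal user directory and one swapped for a link."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "users", "alice"))
    os.makedirs(os.path.join(root, "system32"))
    # 'bob' is a symlink standing in for an NTFS junction pointing somewhere else.
    os.symlink(os.path.join(root, "system32"), os.path.join(root, "users", "bob"))
    return {
        "plain": restore_path_is_safe(os.path.join(root, "users", "alice", "q.exe"), root),
        "junction": restore_path_is_safe(os.path.join(root, "users", "bob", "q.exe"), root),
        "escape": restore_path_is_safe(os.path.join(root, "..", "q.exe"), root),
    }
```

The per-component lstat is the important part: a single `realpath` comparison against the root would miss a junction that points to a location still inside the root.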

Google Study: Phishing is Biggest Threat to Account Hijacking

A study from Google and researchers at the University of California Berkeley says that phishing, not ransomware or data breaches, poses the largest threat to Google account security.

[Editor Comments]

[Pescatore] And phishing is enabled by reusable passwords. What Google calls "Advanced Protection" for personal accounts (two-factor authentication) needs to be "Standard Protection" for business accounts. A recent survey showed something like 28% of online users now use 2FA for at least one online account - consumer adoption is higher than business adoption. Users are routinely using fingerprint authentication on Apple and Android phones, but at work they are entering reusable passwords!

Read more in:

Engadget: Google study shows how your account is most likely to be hijacked

DoD Vulnerability Disclosure Program

(November 9, 10, & 13, 2017)

The US Department of Defense's (DoD's) vulnerability disclosure policy (VDP) has resulted in the identification and patching of more than 2,800 security issues in public facing DoD websites and applications hosted on those websites. The program has been running for just under a year. Unlike the Hack the Pentagon program, VDP does not offer bounties for vulnerabilities that are submitted.

[Editor Comments]

[Pescatore] Good to see the DoD mixing a passive vulnerability disclosure program with active bug bounty programs. Key point 1: these vulnerabilities were found mostly in systems that had already successfully gone through the government Certification and Accreditation process. Key point 2: In private industry, managed bug bounty programs are being extended to pre-production code - finding vulnerabilities earlier is always cheaper/better.

Brad Smith Renews Call for Digital Geneva Convention

(November 10, 2017)

Speaking at the United Nations in Geneva, Switzerland last week, Microsoft president Brad Smith reiterated his call for a cyber Geneva Convention. Smith stated that "governments should agree not to attack civilian infrastructures, such as the electrical grid or electoral processes" and should also agree not to steal intellectual property.

[Editor Comments]

[Henry] I have long said that the threat from cyber attacks is similar in many ways to nuclear proliferation, and that it continues unchecked unless there is nation-state-to-nation-state discussion on the acceptable rules. Brad Smith uses the term "Geneva Convention" to describe "standards of international law," and he's absolutely correct. There are human beings behind every single cyber attack, and every one of them resides in, works at, or is sponsored by a nation-state. There is a need for those nations to take responsibility for and/or control their citizens (or their own state actions) if we ever expect to have relative safety in this forum.

WikiLeaks Claims CIA Used Phony Certs to Impersonate Kaspersky

(November 9 & 10, 2017)

WikiLeaks has released what it says is source code for a US intelligence cyber tool known as Hive that WikiLeaks says the CIA uses to hide its activity while installing malware on targeted systems. Hive uses phony digital certificates to impersonate other organizations, including Kaspersky Lab.

Man Charged for Allegedly Using DoS-for-Hire Services Against Former Employer

(November 10 & 13, 2017)

US federal prosecutors have charged a man for allegedly using the vDOS service, which launches attacks against specified websites on behalf of its customers. John Kelsey Gammell allegedly used vDOS and other services to launch attacks against websites belonging to his former employer and several other companies. Gammell has been charged with intentional damage to a protected computer.

Read more in:

KrebsOnSecurity: Hack of Attack-for-Hire Service vDOS Snares New Mexico Man

Electronic Frontier Foundation Has Some Ideas for Congressional Response to Equifax Breach

(November 7, 2017)

The Electronic Frontier Foundation offers advice on how US legislators should respond to the Equifax data breach. The suggestions include establishing a federal victims' advocate within the executive branch, either as an official or as a department, to offer support to victims of data breaches; granting the Federal Trade Commission (FTC) rulemaking authority to establish and enforce security standards; and mandating credit freezes rather than credit monitoring for breach victims.

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.